CVE-2021-21604

HIGH

Jenkins < 2.263.1 - Insecure Deserialization

Title source: rule

Description

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.

References (1)

[Vendor Advisory] https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923

Scores

CVSS v3 8.0

EPSS 0.0083

EPSS Percentile 74.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (3)

jenkins/jenkins < 2.263.1

jenkins/jenkins < 2.274

org.jenkins-ci.main/jenkins-core < 2.263.2Maven

Timeline

Published Jan 13, 2021

Tracked Since Feb 18, 2026